diff --git a/Composite-MLDSA-2024.asn b/Composite-MLDSA-2024.asn index 2fc4a30..864946d 100644 --- a/Composite-MLDSA-2024.asn +++ b/Composite-MLDSA-2024.asn @@ -258,18 +258,18 @@ sa-MLDSA65-RSA4096-PKCS15-SHA512 SIGNATURE-ALGORITHM ::= pk-MLDSA65-RSA4096-PKCS15-SHA512 } -- TODO: OID to be replaced by IANA -id-MLDSA65-ECDSA-P256-SHA512 OBJECT IDENTIFIER ::= { +id-MLDSA65-ECDSA-P384-SHA512 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) entrust(114027) algorithm(80) composite(8) signature(1) 28 } -pk-MLDSA65-ECDSA-P256-SHA512 PUBLIC-KEY ::= - pk-CompositeSignature{ id-MLDSA65-ECDSA-P256-SHA512, +pk-MLDSA65-ECDSA-P384-SHA512 PUBLIC-KEY ::= + pk-CompositeSignature{ id-MLDSA65-ECDSA-P384-SHA512, EcCompositeSignaturePublicKey} sa-MLDSA65-ECDSA-P256-SHA512 SIGNATURE-ALGORITHM ::= sa-CompositeSignature{ - id-MLDSA65-ECDSA-P256-SHA512, - pk-MLDSA65-ECDSA-P256-SHA512 } + id-MLDSA65-ECDSA-P384-SHA512, + pk-MLDSA65-ECDSA-P384-SHA512 } -- TODO: OID to be replaced by IANA diff --git a/draft-ietf-lamps-pq-composite-sigs.md b/draft-ietf-lamps-pq-composite-sigs.md index fb9a970..5fd0427 100644 --- a/draft-ietf-lamps-pq-composite-sigs.md +++ b/draft-ietf-lamps-pq-composite-sigs.md 
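Review bot: The `sa-MLDSA65-ECDSA-P256-SHA512 SIGNATURE-ALGORITHM ::=` line is left as unchanged context, so a signature-algorithm object still named P256 now binds `id-MLDSA65-ECDSA-P384-SHA512` and `pk-MLDSA65-ECDSA-P384-SHA512`. Rename it in the same change: `sa-MLDSA65-ECDSA-P384-SHA512 SIGNATURE-ALGORITHM ::=`. The rest of the module is outside this hunk, so also check any object set or export list that still references the old `id-`/`pk-`/`sa-` P256 names. A stale reference there would either fail to compile or keep advertising a P-256 pairing that no longer exists.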
@@ -629,12 +629,11 @@ Signature public key types: | id-MLDSA44-RSA2048-PKCS15-SHA256 | <CompSig>.22 | id-ML-DSA-44 | sha256WithRSAEncryption | id-sha256 | | id-MLDSA44-Ed25519-SHA512 | <CompSig>.23 | id-ML-DSA-44 | id-Ed25519 | id-sha512 | | id-MLDSA44-ECDSA-P256-SHA256 | <CompSig>.24 | id-ML-DSA-44 | ecdsa-with-SHA256 with secp256r1 | id-sha256 | -| id-MLDSA44-ECDSA-brainpoolP256r1-SHA256 | <CompSig>.25 | id-ML-DSA-44 | ecdsa-with-SHA256 with brainpoolP256r1 | id-sha256 | | id-MLDSA65-RSA3072-PSS-SHA512 | <CompSig>.26 | id-ML-DSA-65 | id-RSASA-PSS with id-sha512 | id-sha512 | | id-MLDSA65-RSA3072-PKCS15-SHA512 | <CompSig>.27 | id-ML-DSA-65 | sha512WithRSAEncryption | id-sha512 | | id-MLDSA65-RSA4096-PSS-SHA512 | <CompSig>.34 | id-ML-DSA-65 | id-RSASA-PSS with id-sha512 | id-sha512 | | id-MLDSA65-RSA4096-PKCS15-SHA512 | <CompSig>.35 | id-ML-DSA-65 | sha512WithRSAEncryption | id-sha512 | -| id-MLDSA65-ECDSA-P256-SHA512 | <CompSig>.28 | id-ML-DSA-65 | ecdsa-with-SHA512 with secp256r1 | id-sha512 | +| id-MLDSA65-ECDSA-P384-SHA512 | <CompSig>.28 | id-ML-DSA-65 | ecdsa-with-SHA512 with secp384r1 | id-sha512 | | id-MLDSA65-ECDSA-brainpoolP256r1-SHA512 | <CompSig>.29 | id-ML-DSA-65 | ecdsa-with-SHA512 with brainpoolP256r1 | id-sha512 | | id-MLDSA65-Ed25519-SHA512 | <CompSig>.30 | id-ML-DSA-65 | id-Ed25519 | id-sha512 | | id-MLDSA87-ECDSA-P384-SHA512 | <CompSig>.31 | id-ML-DSA-87 | ecdsa-with-SHA512 with secp384r1 | id-sha512| 
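Review bot: `<CompSig>.28` keeps its arc although its traditional component changes from secp256r1 to secp384r1, and the domain-separator table in the next hunk keeps `060B6086480186FA6B5008011C` for the renamed entry. An implementation built against the earlier draft will still accept that OID and interpret the ECDSA component as P-256, so the two versions disagree about one identifier instead of failing cleanly on an unknown OID. Consider retiring .28 and giving the P-384 combination a fresh prototype arc. Failing that, add a note beside the table, for example `EDNOTE: <CompSig>.28 identified ML-DSA-65 with secp256r1 in earlier versions of this draft; those implementations are not interoperable with this version.`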
@@ -657,12 +656,11 @@ As mentioned above, the OID input value is used as a domain separator for the Co | id-MLDSA44-RSA2048-PKCS15-SHA256 |060B6086480186FA6B50080116| | id-MLDSA44-Ed25519-SHA512 |060B6086480186FA6B50080117| | id-MLDSA44-ECDSA-P256-SHA256 |060B6086480186FA6B50080118| -| id-MLDSA44-ECDSA-brainpoolP256r1-SHA256 |060B6086480186FA6B50080119| | id-MLDSA65-RSA3072-PSS-SHA512 |060B6086480186FA6B5008011A| | id-MLDSA65-RSA3072-PKCS15-SHA512 |060B6086480186FA6B5008011B| | id-MLDSA65-RSA4096-PSS-SHA512 |060B6086480186FA6B50080122| | id-MLDSA65-RSA4096-PKCS15-SHA512 |060B6086480186FA6B50080123| -| id-MLDSA65-ECDSA-P256-SHA512 |060B6086480186FA6B5008011C| +| id-MLDSA65-ECDSA-P384-SHA512 |060B6086480186FA6B5008011C| | id-MLDSA65-ECDSA-brainpoolP256r1-SHA512 |060B6086480186FA6B5008011D| | id-MLDSA65-Ed25519-SHA512 |060B6086480186FA6B5008011E| | id-MLDSA87-ECDSA-P384-SHA512 |060B6086480186FA6B5008011F| @@ -752,12 +750,11 @@ The following table lists the MANDATORY HASH algorithms to preserve security and | id-MLDSA44-RSA2048-PKCS15-SHA256 | SHA256 | | id-MLDSA44-Ed25519-SHA512 | SHA512 | | id-MLDSA44-ECDSA-P256-SHA256 | SHA256 | -| id-MLDSA44-ECDSA-brainpoolP256r1-SHA256 | SHA256 | | id-MLDSA65-RSA3072-PSS-SHA512 | SHA512 | | id-MLDSA65-RSA3072-PKCS15-SHA512 | SHA512 | | id-MLDSA65-RSA4096-PSS-SHA512 | SHA512 | | id-MLDSA65-RSA4096-PKCS15-SHA512 | SHA512 | -| id-MLDSA65-ECDSA-P256-SHA512 | SHA512 | +| id-MLDSA65-ECDSA-P384-SHA512 | SHA512 | | id-MLDSA65-ECDSA-brainpoolP256r1-SHA512 | SHA512 | | id-MLDSA65-Ed25519-SHA512 | SHA512 | | id-MLDSA87-ECDSA-P384-SHA512 | SHA512| 
@@ -869,11 +866,6 @@ EDNOTE to IANA: OIDs will need to be replaced in both the ASN.1 module and in {{ - Description: id-MLDSA44-ECDSA-P256-SHA256 - References: This Document -- id-MLDSA44-ECDSA-brainpoolP256r1-SHA256 - - Decimal: IANA Assigned - - Description: id-MLDSA44-ECDSA-brainpoolP256r1-SHA256 - - References: This Document - - id-MLDSA65-RSA3072-PSS-SHA512 - Decimal: IANA Assigned - Description: id-MLDSA65-RSA3072-PSS-SHA512 @@ -894,9 +886,9 @@ EDNOTE to IANA: OIDs will need to be replaced in both the ASN.1 module and in {{ - Description: id-MLDSA65-RSA4096-PKCS15-SHA512 - References: This Document -- id-MLDSA65-ECDSA-P256-SHA512 +- id-MLDSA65-ECDSA-P384-SHA512 - Decimal: IANA Assigned - - Description: id-MLDSA65-ECDSA-P256-SHA512 + - Description: id-MLDSA65-ECDSA-P384-SHA512 - References: This Document - id-MLDSA65-ECDSA-brainpoolP256r1-SHA512 
@@ -926,16 +918,15 @@ EDNOTE to IANA: OIDs will need to be replaced in both the ASN.1 module and in {{ - # Security Considerations + ## Public Key Algorithm Selection Criteria The composite algorithm combinations defined in this document were chosen according to the following guidelines: 1. RSA combinations are provided at a key size of 2048, 3072, and 4096 bits matched with NIST PQC Level 2 and 3 algorithms. -1. Elliptic curve algorithms are provided with combinations on each of the NIST [RFC6090], Brainpool [RFC5639], and Edwards [RFC7748] curves. NIST PQC Levels 1 - 3 algorithms are matched with 256-bit curves, while NIST levels 4 - 5 are matched with 384-bit elliptic curves. This provides a balance between matching classical security levels of post-quantum and traditional algorithms, and also selecting elliptic curves which already have wide adoption. -1. NIST level 1 candidates are provided, matched with 256-bit elliptic curves, intended for constrained use cases. +1. Elliptic curve algorithms are provided with combinations on each of the NIST [RFC6090], Brainpool [RFC5639], and Edwards [RFC7748] curves. NIST PQC level 1 candidates are provided, matched with 256-bit elliptic curves, intended for constrained use cases. NIST levels 3 algorithms are matched with NIST 384-bit, brainpool 256-bit and and Ed25519 curves, while NIST level 5 are matched with 384-bit elliptic curves. This provides a balance between matching classical security levels of post-quantum and traditional algorithms, and also selecting elliptic curves which already have wide adoption. If other combinations are needed, a separate specification should be submitted to the IETF LAMPS working group. To ease implementation, these specifications are encouraged to follow the construction pattern of the algorithms specified in this document. 
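Review bot: The rewritten elliptic-curve item has a duplicated word and a number disagreement (`brainpool 256-bit and and Ed25519 curves`, `NIST levels 3 algorithms`). It also calls the 256-bit pairings `NIST PQC level 1 candidates`, while item 1 describes the RSA combinations as matched with `NIST PQC Level 2 and 3 algorithms`, and the tables in this diff show the same ML-DSA-44 and ML-DSA-65 parameter sets in both families. Suggested wording for the middle sentence: `NIST level 3 algorithms are matched with NIST 384-bit, Brainpool 256-bit and Ed25519 curves, while NIST level 5 algorithms are matched with 384-bit elliptic curves.` Implementers read this section to judge the classical strength of each pairing, so it should also say why the level 3 Brainpool combination stays on a 256-bit curve when the NIST-curve one moved to P-384.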
@@ -1001,7 +992,7 @@ This section provides references to the full specification of the algorithms use | ----------- | ----------- | ----------- | | secp256r1 | iso(1) member-body(2) us(840) ansi-x962(10045) curves(3) prime(1) 7 | [RFC6090] | | secp384r1 | iso(1) identified-organization(3) certicom(132) curve(0) 34 | [RFC6090] | -| brainpoolP256r1 | iso(1) identified-organization(3) teletrust(36) algorithm(3) signatureAlgorithm(3) ecSign(2) ecStdCurvesAndGeneration(8) ellipticCurve(1) versionOne(1) 7 | [RFC5639] | +| brainpoolP256r1 | iso(1) identified-organization(3) teletrust(36) algorithm(3) signatureAlgorithm(3) ecSign(2) ecStdCurvesAndGeneration(8) ellipticCurve(1) versionOne(1) 7 | [RFC5639] | | brainpoolP384r1 | iso(1) identified-organization(3) teletrust(36) algorithm(3) signatureAlgorithm(3) ecSign(2) ecStdCurvesAndGeneration(8) ellipticCurve(1) versionOne(1) 11 | [RFC5639] | {: #tab-component-curve-algs title="Elliptic Curves used in Composite Constructions"}